GitHub is tightening its bug bounty program in response to a surge in low-quality submissions. AI tools have lowered the barrier to entry for security research, and the result is a flood of reports with no proof of concept, theoretical scenarios that fail scrutiny, and findings already listed as ineligible. GitHub hosts over 180 million developers and 600 million repositories. The program is not closing, but the rules are hardening.
Effective immediately, every submission requires a working proof of concept with demonstrated impact, not a description of potential impact. Reports covering known ineligible categories, such as DMARC configuration, user enumeration, or missing security headers without an attack path, will be closed as Not Applicable, which lowers the researcher's HackerOne Signal score. AI-assisted research is explicitly welcome, but the human researcher is accountable for validation. Unvalidated scanner or AI output submitted directly is rejected on the same grounds it always was.
The article is worth reading in full for its shared responsibility breakdown, which is where most submitted reports fail. GitHub argues that scenarios requiring a victim to clone a malicious repo, run untrusted code, or feed attacker-controlled content to an AI tool are not platform security failures. They are user trust decisions. That distinction, backed by a table of commonly rejected scenario patterns, defines the actual attack surface researchers should be targeting.